Privacy and Security within an Interoperable EHR




Stan Ratajczak
Director Privacy and Security Solutions Architecture Group
November 30, 2005
Electronic Health Information and Privacy Conference, Ottawa Congress Center

Agenda
- Introduction to Infoway and its privacy / security mandate
- The Privacy and Security Architecture initiative
- Key privacy and security challenges for an interoperable EHR

Canada's Strategic Response to EHR Challenges
F/P/T governments agreed to take a national approach that could:
- Develop solutions that operate across organizations, clinical systems, & jurisdictions
- Share risks and costs across a broad constituency
- Collect and share best practices
- Help establish and drive standards for interoperability
- Provide platforms for National Public Health Surveillance systems
- Increase the market size and hence private sector responsiveness
Canada Health Infoway launched:
- an independent, not-for-profit corporation, equally accountable to 14 F/P/T governments
- invests on a 75/25 basis with provinces & territories for eligible projects
A unique approach was adopted, based on collaboration across Canada's healthcare jurisdictions

Canada Health Infoway
Mission
- To foster and accelerate the development and adoption of electronic health information systems with compatible standards and communications technologies on a pan-Canadian basis, with tangible benefits to Canadians.
- To build on existing initiatives and pursue collaborative relationships in pursuit of its mission
Goal
- To have an interoperable electronic health record in place across 50 percent of Canada (by population) by the end of 2009

Infoway's Role: Strategic Investor
Infoway focuses on initial investment in a solution & its deployment. Our unique role is in providing strategic leadership.
Spectrum of roles:
- Funder: Fund & ignore
- Strategic Investor: Invest, advise & monitor
- Intervener: Work alongside & take over if needed
- Developer: Write code & build modules
As a Strategic Investor, Infoway:
- Invests with Partners
- Involved in project planning
- Monitors progress of projects and quality of deliverables
- Gated funding manages risk
- Leadership in setting strategic direction and standards for EHR deployment across Canada
Infoway is Not:
- A Granting Agency
- A Venture Capital Fund
- A builder, direct implementer or holder of proprietary solutions
- And does not collect data

Tying it all together - Service Oriented Architecture
[Diagram: Jurisdictional Infostructure. Labels: Registries Data, EHR Data, Client, Provider, Location, Terminology, Shared Health Record, Drug Information, Diagnostic Imaging, Laboratory, Longitudinal Record, HIAL, Common Communication Bus, EMR, Patient Info, Patient History, Drug Profile, Laboratory, Diagnostic Imaging]
- HIAL provides standards-based message set for securely exchanging patient information
- An interoperable EHR captures all key clinical data on one screen (role-based)

Privacy and Security
- Addressing privacy and security issues is key to the success of the EHR
- End users (patients, physicians, health facilities) must have confidence and trust that privacy and security are being adequately addressed
- 80% of Canadians rate EHRs as a strong improvement over paper records in terms of the effectiveness for all those involved in the health care system and for the system overall*
- 84% agree that timely and easy access to personal health information is integral to the provision of quality health care**
*EKOS survey of 2000 Canadians, 2003
**EKOS survey of 2500 Canadians, 2004

Infoway's Privacy Mandate
Infoway's funding agreement requires it to: incorporate the protection of personal health information in its activities in accordance with applicable laws and privacy principles.
Infoway achieves this by ensuring that privacy and security are addressed in the projects it funds:
- Infoway requires every project it supports to conduct a Privacy Impact Assessment
- PIAs are expected to describe how the system will function and how it will address privacy rules in place in the jurisdiction
- This means that developers must consider privacy in all phases of a project (design, development and deployment), not after the fact

Meeting Infoway's Privacy and Security mandate
Infoway achieves this by:
- working to identify and leverage best practices for re-use across the country
  - Infoway's pan-Canadian view means that if a project in Ontario is looking at technical privacy solutions we can support that work and ensure it is available to other jurisdictions
- working to ensure that projects adopt an interoperable approach
  - Infoway has worked with technology and privacy experts across the country to develop:
    - A statement of privacy requirements for an interoperable EHR system
    - A privacy and security architecture

Overview of the Infoway Pan Canadian Privacy and Security Conceptual Architecture Project

The iEHR Privacy and Security Challenge! Sharing Personal Health Information
[Diagram: Sharing of PHI among Clients, Clinic, Home Care, Emergency, Community Care Centers, Pharmacy, Specialist Clinic, Hospital Emergency, Diagnostic Center, Laboratory]
Questions raised in the diagram:
- Will you protect the privacy and confidentiality of PHI?
- Can we share information?
- Is authentication and authorisation reliable?
- Who are you? i.e. organisation and provider
- Are you authorised to access PHI?

Why Do We Need a Privacy and Security Architecture?
- Trust in the interoperable EHR is based on the assumption that it is private and secure. This is fundamental to acceptance and adoption by governments, healthcare providers and the public
- As Personal Health Information (PHI) is shared across disparate systems, privacy and security are no longer local issues and therefore must be interoperable
- Infoway leadership: Stakeholders expect the Infoway Blueprint to provide the vision of a privacy protective and secure interoperable EHR

What is the Privacy and Security Architecture?
- It operationalises Pan Canadian Healthcare privacy obligations and best practices
- The PSCA document provides a conceptual view of different privacy and security services and components in the EHRi and how they interact with one another to facilitate interoperability within and across jurisdictions
- It is developed to be flexible: it allows jurisdictions to use those features that are consistent with local legislative requirements yet support minimum interoperability requirements
- A comprehensive set of documents that will guide jurisdictions in the development or procurement and implementation of secure and privacy enhancing interoperable EHRs across Canada

The Privacy and Security Architecture process
Technology architectures are driven by privacy and security requirements
[Diagram labels: PHIPA, AB-HIA, MB-PHIA, Others; Legislative Obligations; Privacy Policies; Privacy Legislation; Policy & Procedures; Admin Requirement; Tech Requirement; Privacy protective & secure HealthCare Solutions; Privacy & Security Requirements, Conceptual Architecture, Logical Architecture, Detailed Architecture]

Project Methodology
The Pan Canadian Privacy and Security architecture is based on:
- The following sources of guiding principles
  - Canadian CSA Privacy Model Code
  - Internationally recognized Information Security Management standards
  - ACIET Pan Canadian Privacy and Confidentiality Framework
- A clear articulation of business and legislative requirements based on a Pan Canadian privacy legislative scan
  - Identifies Pan Canadian privacy and security obligations
  - Development of Pan Canadian privacy and security requirements for an interoperable EHR
- Consultative process
  - Multi disciplinary group of over 80 privacy and security experts, including National Provider Associations and vendors, were consulted and provided invaluable input
  - 3 stage consultation process: Requirements validation, Architecture validation and a final revision cycle

Privacy Requirements Organizing Framework
Privacy framework
- The privacy requirements for an interoperable EHR are organized according to the 10 privacy principles of the Canadian Standards Association's Model Code for the Protection of Personal Information (CAN/CSA-Q830-96)
- The Code was published in March 1996 as a national standard for Canada
- The 10 core principles in the CSA Model Code facilitate an easily recognisable, principled approach to data protection in an EHR environment
Security framework
- The security requirements for an interoperable EHR are organized according to ISO/IEC 17799-1:2000 Code of Practice for Information Security Management
- The ISO 17799 Code of Practice is a widely adopted international standard for information security management

Objectives of the P&S Requirements Document
- To identify the Privacy and Security business requirements for an interoperable EHR
- Policies and procedures
- Comprehensive set of requirements including policy, administrative and technology aspects
- Provide rationale for each requirement
- To contribute to the identification of the Privacy and Security services necessary to implement an interoperable EHR
[Diagram labels: Policy & Procedures, Admin Requirements, Tech Requirement]

Key Features of the privacy and security architecture

Key Features of the PSA
[Diagram: Jurisdictional Infostructure. Labels: Registries Data, EHR Data, Client, Provider, Location, Terminology, Shared Health Record, Drug Information, Diagnostic Imaging, Laboratory, Longitudinal Record, HIAL, Common Communication Bus, EMR, Patient Info, Patient History, Laboratory, Drug Profile, Diagnostic Imaging, Clinic. Callouts: Authenticated providers, Patients' privacy rules, Authorized providers, Privacy enhanced systems, Integrity of PHI, Confidentiality of PHI, Audit trace]

Key Features: To Access Personal Health Information
1. PHI is to be only accessed by authorized Healthcare providers
- Provision for jurisdictional or regional access control rules applied in a consistent manner
- i.e. Psychiatric information may not be available to the GP
- i.e. Radiology reports not available to the ADT clerk
2. Patients have the right to determine the purpose, when and who can access their PHI
- Where applicable by law, PHI is only made available to a Healthcare provider if the appropriate jurisdictional and/or patient derived privacy rules are satisfied, i.e. Patient consent or masked data
3. Prevent unauthorized access to PHI
- The use of encryption technologies to protect against unauthorized access (confidentiality and integrity) to PHI whether in storage or during transmission

Key Features: The Right Information to the Right Person
4. Ensure that Healthcare providers are uniquely identified, authenticated and authorized to access PHI in a trustworthy common manner notwithstanding where they access PHI
- Single sign on with one electronic credential (ID) recognised by all applications (Federated ID is the goal)
- Defining and applying standardized predefined roles across disparate healthcare applications
- Creation and validation for Digital Signature on electronic documents, i.e. eprescribing, proof of authoring of, and acceptance of reports
- Audit Trace required for consent override and access: a fundamental privacy requirement (who, what, when, why has accessed PHI)

Key Features: PHI Is Accessed at the Right Time - in the Right Context
5. Information not typically available can be accessed in emergency situations
- Support for predefined conditions for overriding privacy and access control rules
- Support for extensive audit traceability in cases of exception
6. Concerns about the privacy risks of centralized data bases
- Highly secure data centres
- Federated data bases such that not all of a person's data is within one database or in one data centre
- Encrypt all PHI data
- Privacy protective backup, namely encrypted
- Use mechanisms to allow for de-identification and re-identification of PHI
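Added example (not part of the original presentation): a minimal access decision that combines key features 1, 2, 4 and 5 above, that is, role-based rules, patient masking, a predefined emergency override and a who/what/when/why audit trace. All role names, categories, identifiers and the rule that an override opens patient masking but never widens a role are assumptions made for this sketch, not Infoway specifications.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed role rules (hypothetical): record categories each role may read.
ROLE_RULES = {
    "psychiatrist": {"psychiatric", "radiology", "drug_profile"},
    "gp": {"radiology", "drug_profile"},   # no psychiatric information
    "adt_clerk": {"demographics"},         # no radiology reports
}
# Constructed predefined conditions under which masking may be overridden.
OVERRIDE_REASONS = {"emergency"}


@dataclass
class ConsentDirective:
    """Patient-derived rule: categories masked from all but named providers."""
    masked: set = field(default_factory=set)
    allowed_providers: set = field(default_factory=set)


@dataclass
class AccessRequest:
    provider_id: str
    role: str
    patient_id: str
    category: str
    purpose: str
    override_reason: str | None = None


AUDIT_LOG: list[dict] = []


def decide(req: AccessRequest, directive: ConsentDirective) -> str:
    """Return 'permit', 'permit-override' or 'deny'; always write an audit entry."""
    if req.category not in ROLE_RULES.get(req.role, set()):
        # Assumption of this sketch: an override never widens a role.
        outcome = "deny"
    elif (req.category in directive.masked
          and req.provider_id not in directive.allowed_providers):
        # Masked by the patient: only a predefined condition opens it.
        outcome = ("permit-override"
                   if req.override_reason in OVERRIDE_REASONS else "deny")
    else:
        outcome = "permit"
    AUDIT_LOG.append({
        "who": req.provider_id, "role": req.role,
        "what": f"{req.patient_id}/{req.category}",
        "when": datetime.now(timezone.utc).isoformat(),
        "why": req.override_reason or req.purpose,
        "outcome": outcome,
    })
    return outcome


def overrides(log: list[dict]) -> list[dict]:
    """Audit entries a privacy officer would review: every consent override."""
    return [e for e in log if e["outcome"] == "permit-override"]
```

Denied requests are audited as well as permitted ones, so repeated attempts against masked data are visible in the same trace as overrides.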

Privacy and Security (Future State)
[Diagram: Jurisdictional Infostructure. Labels: Registries Data, Ancillary Data, EHR Data, Data Warehouse, Client, Provider, Location, Terminology, HIAL, Outbreak Management, Business Rules, PHS Reporting, EHR Index, Shared Health Record, Drug Information, Diagnostic Imaging, Laboratory, Message Structures, Normalisation Rules, Longitudinal Record, Common Communication Bus, Health Information, POS System, Clinical Viewer, Point of Service, User. Privacy and Security services: Identity Protection, Anonymisation, Consent Directives Mgmt, Identity Mgmt, User Authentication, Encryption, Access Control, Secure Auditing, Digital Signature, General Security, Configuration Management, Privacy Data, Security Data]

How Will the PSA Help Infoway Stakeholders?
- It provides a vision of how iEHR systems can be developed to meet the demanding requirements of sharing PHI in the health care sector while respecting privacy, confidentiality and security
  - Information must be shared immediately and accurately among a range of health care providers for the benefit of the individual yet remain secure and confidential
- It provides a roadmap for stakeholders during product procurement, system design, development, implementation and operation of interoperable EHR solutions
  - Used while performing Privacy Impact Assessments
- Provides guidance to the vendor community to ensure they design privacy and security solutions for an interoperable EHR

Key privacy and security challenges for an interoperable EHR

Key Privacy and Security Challenges: Operational Governance of an iEHR
- Funding & operations of governance entities
- Definition of common Governance frameworks & models
- Rules for accreditation and conformance
- Definition of liability and dispute resolution mechanisms
- Definition of operational privacy and security standards
- Definition of risk management framework (PIA, TRA)
- Definition of shared accountability framework
[Diagram: Sharing of PHI among Clients, Clinic, Home Care, Emergency, Community Care Centers, Specialist Clinic, Hospital Emergency, Laboratory, Diagnostic Center, Pharmacy]

Key Privacy and Security Challenges: Interoperability privacy and security standards
Privacy and security messaging standards
- Facilitate & support the development of privacy and security messaging standards for: authentication, access control, consent directive management
- Required to support interoperability of privacy and security functions across disparate systems and technologies
- Increase adoption by the vendor community
- Facilitate the implementation of consistent level of privacy and security within the EHRS

Key Privacy and Security Challenges: Interoperability privacy and security standards
Privacy and security messaging standards
EHRi Generic Communication Interface (focused on wrappers and protocols):
- Security Management & Communication Interface
Interoperable EHR Program - Privacy and Security Messaging Standards:
- EHRi Application Identification, authentication and authorisation
- EHRi POS Application Identification, authentication and authorisation
- EHRi User Identification, authentication and authorisation
- EHRi User Role and rights management
- EHRi Client Consent Directive (flag - metadata)
- EHRi Check Consent Directive
- EHRi Provider Digital Signature
- Privacy Taxonomy (protected ID mapping)

Thank You. Questions?
Main website: www.infoway-inforoute.ca
Knowledgeway: http://knowledge.infoway-inforoute.ca/
Forums: http://forums.infoway-inforoute.ca
E-mail: sratajczak@infoway-inforoute.ca